National Security Advisor John Bolton says that given that the U.S. is under attack daily from cyberspace, including attempts to "undermine democracy," the U.S. would now use offensive as well as defensive cyber strategies to counter that threat, though he would not said exactly what that offense would entail.
That is a change from policy under President Barack Obama, he said, when offense was not part of the playbook.
Bolton said the Administration was committed to preserving "the long-term openness, interoperability and security and reliability of the internet."
Bolton's comments came in a briefing with reporters Thursday (Sept. 20) on the Trump Administration's National Cyber Strategy presidential directive, which President Donald Trump has signed off on.
The unified cyber strategy recognizes that it has been a struggle to respond, and that it will take a thriving tech sector to succeed.
There are four pillars to the strategy, Bolton said.
1) Protect the people, homeland and way of life, which includes securing critical infrastructure and combating cyber crime
2) Promoting American prosperity, including by fostering the digital economy and developing a superior cyber work force
3) Peace through strength, including countering and deterring destabilizing conduct. He said there will be both offensive and defensive cyber operations, which he signaled was a break with the Obama Administration.
4) Advancing American influence. Bolton said that includes "preserving the long-term openness, interoperability and security and reliability of the internet," while "promoting market growth for infrastructure and emerging technology and building cyber capacity internationally."
There is also classified portion to the strategy. Bolton was not talking about that part, but that portion deals primarily with repealing an Obama-era directive on offensive operations.
The unified cyber strategy is effective immediately, though the rollback of the Obama limit on offensive cyber actions occurred several weeks ago, he said.
Bolton was asked if the U.S. was in a cyber war. Bolton said he would not go that far, but that the President had determined that it was in the country's interest to take offensive action, and to send that signal, as a way to deter attacks.
Bolton said no one should be under the impression that defense measures alone would solve the problem. He said like a biodefense strategy, the cyberstrategy document the President has signed is a living document.
Bolton said the Obama Administration had tied the country's hands in terms of responding to cyber attacks.
Asked how the decision would be made to respond to an attack offensively, he said he didn't plan to telegraph any strategy.
Bolton said the actions are versus foreign adversaries and has nothing to do with putting Americans' privacy at risk, but instead to deter adversaries from hostile actions, including attacks on that privacy.
He said to the extent the military is involved, they will follow the same strictures and structures. He said the people that need to worry are criminal actors.
"As I have made clear since my election as President, my Administration will use all available means to keep America safe from cyber threats," the President said in a statement. "The National Cyber Strategy that I have released today is an important step in keeping that promise.
"We cannot ignore the costs of malicious cyber activity—economic or otherwise—directed at America’s Government, businesses, and private individuals. Guided by this National Cyber Strategy, the Federal Government will be better equipped to protect the American people, the American homeland, and the American way of life."
Sen. John Warner (D-Va.), vice chair of the Senate Intelligence Committee was looking for more. "The White House strategy document outlines a number of important and well-established cyber priorities. We need to focus on growing the cyber workforce, promoting more secure development and security across product lifecycle, establishing norms of responsible state behavior, leveraging federal procurement power to drive better security, and publicly attributing and punishing adversaries who violate those standards. The Administration must now move beyond vague policy proposals and into concrete action towards achieving those goals.”